Enable GPG checks of channel artifacts #268
Conversation
spyrkob
commented
Jun 18, 2024
spyrkob
commented
- Initial SignatureValidator API
- Pass GPG setting to dependant channels
- Update validator signatur
- Add SignatureValidator implementation
- Use return status instead of exceptions
- Report validation errors
- Add keyserver support to the validator
- Create channel version 2.1.0
|
@jmesnil could you review this please? It's a large one, if it makes it easy I can split it up into spec/API changes and implementation PRs. |
| } | ||
|
|
||
| @JsonIgnore | ||
| public boolean requiresGpgCheck() { |
There was a problem hiding this comment.
do we need this method as it kind of duplicates isGpgCheck?
There was a problem hiding this comment.
I added it to avoid having to check isGpgCheck() for null every time, but I think it just made it more confusing, I'm happy to remove it.
There was a problem hiding this comment.
+1, let's store the field as a boolean and deal only once with the nullability of the Boolean param in the constructor.
There was a problem hiding this comment.
I ended up keeping the field as a Boolean to allow channels without gpg-check fields to be deserialized & serialized without changes. The public getter deals with the null check
| @JsonProperty(value = "resolve-if-no-stream") NoStreamStrategy noStreamStrategy) { | ||
| @JsonProperty(value = "resolve-if-no-stream") NoStreamStrategy noStreamStrategy, | ||
| @JsonProperty(value = "gpg-check") Boolean gpgCheck, | ||
| @JsonProperty(value = "gpg-keys") List<String> gpgUrls) { |
There was a problem hiding this comment.
there is a mismatch between the json property gpg-keys and the java field gpgUrls.
What are the String representing? keys or URLs?
There was a problem hiding this comment.
The fields contains URLs where the keys can be downloaded from. Originally I called the field gpg-urls, later renamed it to gpg-keys to follow YUM naming, but I suppose that's not really required.
doc/spec.adoc
Outdated
| @@ -76,6 +77,8 @@ A channel is composed of several fields: | |||
| ** `maven-latest` - a version marked as `latest` in the Maven metadata | |||
| ** `maven-release` - a version marked as `release` in the Maven metadata | |||
| ** `none` - do not attempt to resolve versions of artifact not listed in the `streams` collection. Default value if no strategy is provided. | |||
| * Optional `gpg-check` boolean indicating if the artifacts resolved from this channel have to have a valid GPG signature. | |||
There was a problem hiding this comment.
s/have to have/must be checked with ?
There was a problem hiding this comment.
Does this sound better?
"Optional gpg-check boolean indicating that during artifact resolution, this channel will verify a signature of every artifact. If the artifact signature cannot be found, or cannot be validated, the artifact will not be resolved from the channel. The channel repositories must contain a detached GPG signature paired with the artifact as described below."
doc/spec.adoc
Outdated
| @@ -76,6 +77,8 @@ A channel is composed of several fields: | |||
| ** `maven-latest` - a version marked as `latest` in the Maven metadata | |||
| ** `maven-release` - a version marked as `release` in the Maven metadata | |||
| ** `none` - do not attempt to resolve versions of artifact not listed in the `streams` collection. Default value if no strategy is provided. | |||
| * Optional `gpg-check` boolean indicating if the artifacts resolved from this channel have to have a valid GPG signature. | |||
| * Optional `gpg-key` a list of URLs that the public GPG keys used to validate artifact signatures are resolved from. | |||
There was a problem hiding this comment.
s/gpg-key/gpg-keys
Optional `gpg-keys` a list of URLs corresponding to the public GPG keys used to validate artifact signatures.
If gpg-check is true, gpg-keys must be set too, right?
There was a problem hiding this comment.
Not necessary. The client using wildfly-channels may have a local keystore that's used to resolve the required public keys, or they can use public keyservers.
The gpg-keys field was meant to be an optional way to provide the channel definition with a way to pass information were the key may be found.
| ### Changelog | ||
|
|
||
| ### Version 2.1.0 | ||
|
|
||
| * Adding ability to verify artifact signatures |
There was a problem hiding this comment.
could you please also add the fields added in this version?
pom.xml
Outdated
| @@ -31,10 +31,12 @@ | |||
| <version.org.jboss.logging>3.6.0.Final</version.org.jboss.logging> | |||
| <version.org.apache.commons.commons-lang3>3.14.0</version.org.apache.commons.commons-lang3> | |||
| <version.org.apache.httpcomponents.httpclient>4.5.14</version.org.apache.httpcomponents.httpclient> | |||
| <version.org.bouncycastle>1.76</version.org.bouncycastle> | |||
There was a problem hiding this comment.
Are the versions of the added dependencies aligned with WildFly Core (or WildFly)?
There was a problem hiding this comment.
Looks like I'm a bit behind with the WildFly Core, updated now
| <version>${version.org.assertj}</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>org.pgpainless</groupId> |
There was a problem hiding this comment.
is that a new dependency in the WildFly ecosystem? (it's the first I hear from it)
There was a problem hiding this comment.
Yes it's a new dependency. I used it for writing tests only as it makes GPG key operations much easier. If that's a problem I can re-write the tests to remove it
| * The order of returned URLs is the same as order of coordinates. | ||
| * | ||
| * @param coords - list of ChannelMetadataCoordinate. | ||
| * @param optional - if artifact is optional, the method will return an empty collection if no versions are found |
There was a problem hiding this comment.
it's not clear to me what "if artifact is optional" means? When would an artifact be optional?
There was a problem hiding this comment.
This is about blocklist. According to the spec, if no blocklist can be resolved at specified coordinates, the channel should ignore this blocklist:
If no blocklist artifact can be resolved with supplied Maven coordinates, the channel treats it as an empty blocklist.
The idea behind it was to allow for a channel definition that would later add a blocklist.
Either way, this should probably be its own issue and PR, I'll create one
spyrkob
force-pushed
the
mvn_verify
branch
3 times, most recently
from
cbb8103
to
005f85b
Compare
spyrkob
force-pushed
the
mvn_verify
branch
3 times, most recently
from
049320a
to
5f1f025
Compare
|
@jmesnil this should be ready for re-review, sorry about the delay. Again if it's easier I can break this down into smaller PRs (e.g. API/Spec changes vs implementation) |
